
Potentially 15 year old macOS root access bug... yes, another one

cox1000

Another macOS root access bug seems to have been discovered, this time using local privilege escalation, allowing a non-root user to gain root access to a system. This is terrible, and it's Apple, so it's unlikely that all the machines running older versions of macOS will get a security patch. That said, no current machines have received a patch yet either, but one is probably in the works.

 

With the iOS throttling scandal, and the other recent macOS security flaw, Apple's ecosystem is looking more insecure and badly designed by the day.  

 

What's very interesting, is that this bug was discovered by one researcher, who also attached a very comprehensive write up of the whole thing. He didn't inform Apple of the bug beforehand, so every macOS user is now at risk. It's worth a read, and shows how easy it is to overlook absolutely massive security flaws. Although Apple has been telling us for years that they have unparalleled attention to detail...

 

Quote

On the first day of 2018, a researcher using the online moniker Siguza released the details of the unpatched zero-day macOS vulnerability, which he suggests is at least 15 years old, and proof-of-concept (PoC) exploit code on GitHub.

Since the code was made public and published on GitHub, as well as a large description (linked above), the bug is accessible and exploitable by anyone with a means to, and a will to. 

 

Initial Bug Disclosure: 

(twitter.com/s1guza/status/947603265700601856)

 

 

Technical Write Up: https://siguza.github.io/IOHIDeous/

 

Covering Articles: 

The Hacker News Article

The Inquirer Article

CSO Online Article

Security Affairs Article

 

 


Disclaimer : I might be wrong.


What a responsible way to report such a bug!

/s

Current LTT F@H Rank: 90    Score: 2,503,680,659    Stats

Yes, I have 9 monitors.

My main PC (Hybrid Windows 10/Arch Linux):

OS: Arch Linux w/ XFCE DE (VFIO-Patched Kernel) as host OS, windows 10 as guest

CPU: Ryzen 9 3900X w/PBO on (6c 12t for host, 6c 12t for guest)

Cooler: Noctua NH-D15

Mobo: Asus X470-F Gaming

RAM: 32GB G-Skill Ripjaws V @ 3200MHz (12GB for host, 20GB for guest)

GPU: Guest: EVGA RTX 3070 FTW3 ULTRA Host: 2x Radeon HD 8470

PSU: EVGA G2 650W

SSDs: Guest: Samsung 850 evo 120 GB, Samsung 860 evo 1TB Host: Samsung 970 evo 500GB NVME

HDD: Guest: WD Caviar Blue 1 TB

Case: Fractal Design Define R5 Black w/ Tempered Glass Side Panel Upgrade

Other: White LED strip to illuminate the interior. Extra fractal intake fan for positive pressure.

 

unRAID server (Plex, Windows 10 VM, NAS, Duplicati, game servers):

OS: unRAID 6.11.2

CPU: Ryzen R7 2700x @ Stock

Cooler: Noctua NH-U9S

Mobo: Asus Prime X470-Pro

RAM: 16GB G-Skill Ripjaws V + 16GB Hyperx Fury Black @ stock

GPU: EVGA GTX 1080 FTW2

PSU: EVGA G3 850W

SSD: Samsung 970 evo NVME 250GB, Samsung 860 evo SATA 1TB 

HDDs: 4x HGST Dekstar NAS 4TB @ 7200RPM (3 data, 1 parity)

Case: Sillverstone GD08B

Other: Added 3x Noctua NF-F12 intake, 2x Noctua NF-A8 exhaust, Inatek 5 port USB 3.0 expansion card with usb 3.0 front panel header

Details: 12GB ram, GTX 1080, USB card passed through to windows 10 VM. VM's OS drive is the SATA SSD. Rest of resources are for Plex, Duplicati, Spaghettidetective, Nextcloud, and game servers.


 

18 minutes ago, cox1000 said:

It's worth a read, and shows how easy it is to overlook absolutely massive security flaws.

Be it Apple, Windows or Linux, it still blows my mind that people freak out over a single bug and call the company lazy or the devs bad. Like I don't give two shits how big it is, the fact that people think millions of lines of code can be combed through and verified to work flawlessly is ridiculous.


7 hours ago, sazrocks said:

What a responsible way to report such a bug!

/s

That's what you get if you have a shitty bug bounty program that doesn't even cover your main OS. 

 

At least it's out in the open now. Could have been worse, the code could have secretly been sold to 3-letter agencies and other cyber criminals and then nobody would have known until they lost control of the weaponized version, resulting in a WannaCry scenario for Mac.


This sort of thing is hardly news anymore. We get a handful of bugs/exploits in major software every year.  It's worrying yes, but people are making out like this sort of thing is avoidable.  The more complex systems become, the harder it is to make them secure. This is just the nature of the beast. What's more important is how the company responds.

Grammar and spelling is not indicative of intelligence/knowledge.  Not having the same opinion does not always mean lack of understanding.  


9 minutes ago, mr moose said:

This sort of thing is hardly news anymore. We get a handful of bugs/exploits in major software every year. It's worrying yes, but people are making out like this sort of thing is avoidable. The more complex systems become, the harder it is to make them secure. This is just the nature of the beast. What's more important is how the company responds.

That is certainly true, but we don't get that many root access exploits, and to have two in a year is very bad luck (or bad QC) for any company, especially Apple. They have yet to respond to my knowledge; we will probably have to wait until they come up with a similar explanation and apology to the last time something like this happened. I hope they produce more than that, but somehow I doubt it.

 

In my opinion, people being aware of the discovery of flaws is equally as important as the response of the company. Very few people run RHEL, FreeBSD, or other similarly seemingly bulletproof OSs, and these security flaws may well have consequences. I also think it is important that people see through a lot of the marketing that they put out: software isn't perfect, that's just the nature of it.


34 minutes ago, cox1000 said:

That is certainly true, but we don't get that many root access exploits, and to have two in a year is very bad luck for them (or bad QC). They have yet to respond to my knowledge; we will probably have to wait until they come up with a similar explanation and apology to the last time something like this happened. I hope they produce more than that, but somehow I doubt it.

The only reason any of these companies provide an explanation is for PR.  The reality is there is no need to explain this beyond it being impossible to make a flawless OS. 


Yay I have no respect for someone that just drops a huge flaw into public hands without even bothering to contact the developers so they have a chance to fix it. 

I spent $2500 on building my PC and all I do with it is play no games atm & watch anime at 1080p (finally), watch YT and write essays... nothing, it just sits there collecting dust...

Builds:

The Toaster Project! Northern Bee!

 

The original LAN PC build log! (Old, dead and replaced by The Toaster Project & 5.0)


"Here is some advice that might have gotten lost somewhere along the way in your life. 

 

#1. Treat others as you would like to be treated.

#2. It's best to keep your mouth shut; and appear to be stupid, rather than open it and remove all doubt.

#3. There is nothing "wrong" with being wrong. Learning from a mistake can be more valuable than not making one in the first place.

 

Follow these simple rules in life, and I promise you, things magically get easier. " - MageTank 31-10-2016

 

 


1 hour ago, mynameisjuan said:

 

Be it Apple, Windows or Linux, it still blows my mind that people freak out over a single bug and call the company lazy or the devs bad. Like I don't give two shits how big it is, the fact that people think millions of lines of code can be combed through and verified to work flawlessly is ridiculous.

especially when some people (particularly those starting out programming) can't even get small <100 line programs to work flawlessly xD


Uhm there’s a thing called software updates 

There is more that meets the eye
I see the soul that is inside

 

 


1 hour ago, mynameisjuan said:

 

Be it Apple, Windows or Linux, it still blows my mind that people freak out over a single bug and call the company lazy or the devs bad. Like I don't give two shits how big it is, the fact that people think millions of lines of code can be combed through and verified to work flawlessly is ridiculous.

Actually, they can be. Clang does it for you with its compiler-assisted fuzz testing framework. If you use the right flags, it can identify Heartbleed in the old SSL code in just a couple milliseconds and even show you the input and conditions which produce the fault, and Microsoft is now using it to compile the newer Windows kernels.

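For readers who have not seen what the Clang feature mentioned in the post above looks like in practice, here is an added example (not from this thread, from Siguza's write-up, or from Apple's or OpenSSL's code): a libFuzzer fuzz target in C wrapped around a constructed toy parser for a length-prefixed record, which is the shape of input that Heartbleed-class bugs mishandle. The record format, the function names and the build line are assumptions made for illustration; `LLVMFuzzerTestOneInput` and the `-fsanitize=fuzzer,address` flags are the real libFuzzer/ASan interface.

```c
// Added example, not code from the thread or from any project it mentions.
// A record is a 2-byte big-endian length followed by the payload (constructed
// format). The Heartbleed-class mistake is trusting the declared length
// without comparing it to the bytes actually received; parse_record() does
// that comparison, and the fuzz target feeds it whatever bytes the fuzzer
// generates so AddressSanitizer can flag any out-of-bounds read.
//
// Build: clang -g -O1 -fsanitize=fuzzer,address fuzz_record.c -o fuzz_record
// Run:   ./fuzz_record          (libFuzzer supplies main() and the mutation loop)
#include <stddef.h>
#include <stdint.h>
#include <string.h>

// Result of parsing one record.
typedef struct {
    int ok;                 // 1 if the record was well formed, 0 otherwise
    size_t payload_len;     // declared (and verified) payload length
    const uint8_t *payload; // points into the caller's buffer
} record_t;

// Parse a length-prefixed record out of buf[0..len).
record_t parse_record(const uint8_t *buf, size_t len) {
    record_t r = {0, 0, NULL};
    if (len < 2) return r;                      // not even a complete length field
    size_t claimed = ((size_t)buf[0] << 8) | buf[1];
    // The check a Heartbleed-style handler lacked: a declared length that
    // exceeds the bytes actually present is rejected, not trusted.
    if (claimed > len - 2) return r;
    r.ok = 1;
    r.payload_len = claimed;
    r.payload = buf + 2;
    return r;
}

// Copy the payload back out, as an echo handler would. Returns the number of
// bytes copied, or 0 if the record was rejected or out is too small.
size_t echo_record(const uint8_t *buf, size_t len, uint8_t *out, size_t out_cap) {
    record_t r = parse_record(buf, len);
    if (!r.ok || r.payload_len > out_cap) return 0;
    memcpy(out, r.payload, r.payload_len);      // bounded by the check in parse_record
    return r.payload_len;
}

// libFuzzer entry point: with -fsanitize=fuzzer Clang links a driver that calls
// this repeatedly with mutated inputs. Returning 0 tells the driver to continue.
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    uint8_t out[65536];                         // large enough for any 16-bit length
    echo_record(data, size, out, sizeof out);
    return 0;
}
```

Removing the `claimed > len - 2` check and rebuilding is the quickest way to see what the post describes: ASan reports the over-read within seconds and libFuzzer writes the triggering input to a `crash-*` file. A fuzzer only reports bugs on paths it reaches, so a long clean run is evidence about the code it exercised, not a proof about the whole program.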

1 hour ago, mynameisjuan said:

 

Be it Apple, Windows or Linux, it still blows my mind that people freak out over a single bug and call the company lazy or the devs bad. Like I don't give two ***** how big it is, the fact that people think millions of lines of code can be combed through and verified to work flawlessly is ridiculous.

While I agree to a point, if this bug really is 15 years old, that means it has existed through multiple generations of MacOS releases.  And when you combine that with all the other recent issues that Apple has had to deal with in both their MacOS and iOS releases, it doesn't look good for the company who claims their products "just work".


7 minutes ago, Jito463 said:

While I agree to a point, if this bug really is 15 years old, that means it has existed through multiple generations of MacOS releases.  And when you combine that with all the other recent issues that Apple has had to deal with in both their MacOS and iOS releases, it doesn't look good for the company who claims their products "just work".

The age doesn't really mean anything other than no one has found it. Windows 10 has bugs that are vulnerable to 17 year old Office problems. Sometimes they get found straight up and sometimes it takes a weird coincidence for them to surface. Just think how many bugs there are open for exploit that no one has discovered yet. As I said earlier, having bugs in software isn't a sign of a bad company, how they respond is.


20 minutes ago, mr moose said:

The age doesn't really mean anything other than no one has found it. Windows 10 has bugs that are vulnerable to 17 year old Office problems. Sometimes they get found straight up and sometimes it takes a weird coincidence for them to surface. Just think how many bugs there are open for exploit that no one has discovered yet. As I said earlier, having bugs in software isn't a sign of a bad company, how they respond is.

And following this, to quote Chandler Carruth "The proper way to say it is less bugs, not fewer. Bugs are infinite and uncountable."


1 minute ago, Teddy07 said:

I wonder when the NSA discovered this thing

16 years ago.

 

Probably.

Come Bloody Angel

Break off your chains

And look what I've found in the dirt.

 

Pale battered body

Seems she was struggling

Something is wrong with this world.

 

Fierce Bloody Angel

The blood is on your hands

Why did you come to this world?

 

Everybody turns to dust.

 

Everybody turns to dust.

 

The blood is on your hands.

 

The blood is on your hands!

 

Pyo.


Regardless of whether Apple has a good bounty program or not, total fuckin douche move to release this into the open without even giving the devs the chance to fix it. 

 

Also, every OS has bugs. Period. Even Linux has them occasionally. How Apple responds will dictate how we should react to this. 

 

Quite simply, no one probably noticed it, so it being old makes no difference to how “bad” it is. 

For Sale: Meraki Bundle

 

iPhone Xr 128 GB Product Red - HP Spectre x360 13" (i5 - 8 GB RAM - 256 GB SSD) - HP ZBook 15v G5 15" (i7-8850H - 16 GB RAM - 512 GB SSD - NVIDIA Quadro P600)

 


The fact that it's Apple makes it even worse. The contingent who use Macs have been led to believe that MacOS is completely safe compared to Windows, so the end-user will most likely be ignorant to news like this.


The good thing is this requires physical access, so really it's fine until the patch rolls out. What the real concern is about is the Intel CPU hardware flaw.

Laptop: 2019 16" MacBook Pro i7, 512GB, 5300M 4GB, 16GB DDR4 | Phone: iPhone 13 Pro Max 128GB | Wearables: Apple Watch SE | Car: 2007 Ford Taurus SE | CPU: R7 5700X | Mobo: ASRock B450M Pro4 | RAM: 32GB 3200 | GPU: ASRock RX 5700 8GB | Case: Apple PowerMac G5 | OS: Win 11 | Storage: 1TB Crucial P3 NVME SSD, 1TB PNY CS900, & 4TB WD Blue HDD | PSU: Be Quiet! Pure Power 11 600W | Display: LG 27GL83A-B 1440p @ 144Hz, Dell S2719DGF 1440p @144Hz | Cooling: Wraith Prism | Keyboard: G610 Orion Cherry MX Brown | Mouse: G305 | Audio: Audio Technica ATH-M50X & Blue Snowball | Server: 2018 Core i3 Mac mini, 128GB SSD, Intel UHD 630, 16GB DDR4 | Storage: OWC Mercury Elite Pro Quad (6TB WD Blue HDD, 12TB Seagate Barracuda, 1TB Crucial SSD, 2TB Seagate Barracuda HDD)

2 hours ago, DrMacintosh said:

The good thing is this requires physical access, so really it's fine until the patch rolls out. What the real concern is about is the Intel CPU hardware flaw.

I haven't read through the GitHub page all that carefully, but I didn't see any mention of requiring physical access to the computer.

Even if you did, it still sounds like it's pretty serious. The Intel bug is serious too, but now Mac users have multiple things to worry about until Apple releases patches.


9 hours ago, LAwLz said:

but I didn't see any mention of requiring physical access to the computer.

Well, I found a different article other than GitHub on the Apple subreddit lol.

 

And any exploit that requires physical access is not a major concern for me; the Intel flaw (because that's what it is) is more concerning.


5 hours ago, DrMacintosh said:

Well, I found a different article other than GitHub on the Apple subreddit lol.

 

And any exploit that requires physical access is not a major concern for me; the Intel flaw (because that's what it is) is more concerning.

Can you link that article? I don't see anything which says this requires physical access, and I think it is a very bad idea to assume it does without any evidence.


3 hours ago, LAwLz said:

Can you link that article? I don't see anything which says this requires physical access, and I think it is a very bad idea to assume it does without any evidence.

I actually can't link the article rn
